CVE-2026-34459 is a stack-based buffer overflow vulnerability in Sandboxie-Plus (versions prior to 1.17.3) affecting the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler. The vulnerability chain begins with an information leak caused by returning up to 32KB of uninitialized stack memory when an IPC request has cbSize set to 0. This leak exposes return addresses and stack cookies, bypassing ASLR and /GS protections. Subsequently, an unchecked memcpy with an attacker-controlled length allows a stack buffer overflow within a 32KB stack buffer. By combining these two flaws, an attacker can execute a ROP chain to escalate privileges to SYSTEM, even from a Security Hardened Sandbox. Hardware-enforced shadow stacks (Intel CET) prevent ROP chain execution but do not mitigate the initial information leak. The vulnerability is resolved in Sandboxie-Plus version 1.17.3.

Exploitation of this vulnerability allows a sandboxed process to bypass sandbox isolation and escalate privileges to SYSTEM level on affected Windows systems. This can lead to full system compromise from a restricted sandbox environment. Hardware-enforced shadow stacks mitigate the exploitation of the overflow but do not prevent the information leak, which still poses a security risk. There are no known exploits in the wild at this time.

This vulnerability is fixed in Sandboxie-Plus version 1.17.3. Users should upgrade to version 1.17.3 or later to remediate this issue. No other official remediation or temporary fixes are documented. Until upgrading, users should be aware of the risk of sandbox escape via this vulnerability.